Fixed IP-Hashing and Alt Detection behind Reverse Proxies

src/app/channel/channelManager.js

@@ -14,6 +14,9 @@ GNU Affero General Public License for more details.
 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 
+//Config
+const config = require('../../../config.json');
+
 //Local Imports
 const channelModel = require('../../schemas/channel/channelSchema');
 const emoteModel = require('../../schemas/emoteSchema');
@@ -90,8 +93,11 @@ module.exports = class{
     }
 
     async validateSocket(socket){
+        //If we're proxied use passthrough IP
+        const ip = config.proxied ? socket.handshake.headers['x-forwarded-for'] : socket.handshake.address;
+
         //Look for ban by IP
-        const ipBanDB = await userBanModel.checkBanByIP(socket.handshake.address);
+        const ipBanDB = await userBanModel.checkBanByIP(ip);
 
         //If this ip is randy bobandy
         if(ipBanDB != null){

src/app/channel/connectedUser.js

@@ -15,6 +15,7 @@ You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 
 //local imports
+const config = require('../../../config.json');
 const channelModel = require('../../schemas/channel/channelSchema');
 const permissionModel = require('../../schemas/permissionSchema');
 const flairModel = require('../../schemas/flairSchema');
@@ -58,9 +59,15 @@ module.exports = class{
         //Send out the currently playing item
         this.channel.queue.sendMedia(socket);
         
+        //If we're proxied
+        if(config.proxied){
+            //Tattoo hashed IP address from reverse proxy to user account for seven days
+            await userDB.tattooIPRecord(socket.handshake.headers['x-forwarded-for']);
+        }else{
             //Tattoo hashed IP address to user account for seven days
             await userDB.tattooIPRecord(socket.handshake.address);
         }
+    }
 
     socketCrawl(cb){
         //Crawl through user's sockets (lol)

src/controllers/api/account/emailChangeRequestController.js

@@ -38,6 +38,9 @@ module.exports.post = async function(req, res){
             //Get sanatized/validated data
             const {email, pass} = matchedData(req);
 
+            //If we're proxied use passthrough IP
+            const ip = config.proxied ? req.headers['x-forwarded-for'] : req.ip;
+
             //Check to make sure the user is logged in
             if(req.session.user == null){
                 errorHandler(res, "Invalid user!");
@@ -56,7 +59,7 @@ module.exports.post = async function(req, res){
             }
 
             //Generate the password reset link
-            const requestDB = await emailChangeModel.create({user: userDB._id, newEmail: email, ipHash: req.ip});
+            const requestDB = await emailChangeModel.create({user: userDB._id, newEmail: email, ipHash: ip});
 
             //Don't wait on mailer to get back to the browser
             res.sendStatus(200);

src/controllers/api/account/passwordResetRequestController.js

@@ -40,6 +40,9 @@ module.exports.post = async function(req, res){
             //Verify Altcha Payload
             const verified = await altchaUtils.verify(req.body.verification);
 
+            //If we're proxied use passthrough IP
+            const ip = config.proxied ? req.headers['x-forwarded-for'] : req.ip;
+
             //If altcha verification failed
             if(!verified){
                 return errorHandler(res, 'Altcha verification failed, Please refresh the page!', 'unauthorized');
@@ -63,7 +66,7 @@ module.exports.post = async function(req, res){
             }
 
             //Generate the password reset link
-            const requestDB = await passwordResetModel.create({user: userDB._id, ipHash: req.ip});
+            const requestDB = await passwordResetModel.create({user: userDB._id, ipHash: ip});
 
             //Send the reset url via email
             const mailInfo = await mailUtils.mailem(

src/controllers/api/account/registerController.js

@@ -43,6 +43,10 @@ module.exports.post = async function(req, res){
                 return errorHandler(res, 'Altcha verification failed, Please refresh the page!', 'unauthorized');
             }
 
+
+            //If we're proxied use passthrough IP
+            const ip = config.proxied ? req.headers['x-forwarded-for'] : req.ip;
+
             //Would prefer to stick this in userModel.statics.register() but we end up with circular dependencies >:(
             const nukedBans = await userBanModel.checkProcessedBans(user.user);
 
@@ -53,7 +57,7 @@ module.exports.post = async function(req, res){
             }
 
             //Look for ban by IP
-            const ipBanDB = await userBanModel.checkBanByIP(req.ip);
+            const ipBanDB = await userBanModel.checkBanByIP(ip);
 
             //If this ip is randy bobandy
             if(ipBanDB != null){
@@ -68,7 +72,9 @@ module.exports.post = async function(req, res){
                 return errorHandler(res, banMsg.join('<br>'), 'unauthorized');
             }
 
-            await userModel.register(user, req.ip);
+            //Register off of given IP
+            await userModel.register(user, ip);
+
             return res.sendStatus(200);
         }else{
             res.status(400);

src/controllers/api/admin/passwordResetController.js

@@ -34,6 +34,9 @@ module.exports.post = async function(req, res){
             //Find user from input
             const userDB = await userModel.findOne({user});
 
+            //If we're proxied use passthrough IP
+            const ip = config.proxied ? req.headers['x-forwarded-for'] : req.ip;
+
             //If there is no user
             if(userDB == null){
                 //Scream
@@ -41,7 +44,7 @@ module.exports.post = async function(req, res){
             }
 
             //Generate the password reset link
-            const requestDB = await passwordResetModel.create({user: userDB._id, ipHash: req.ip});
+            const requestDB = await passwordResetModel.create({user: userDB._id, ipHash: ip});
 
             //send URL
             res.status(200);

src/utils/sessionUtils.js

@@ -15,6 +15,7 @@ You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 
 //Local Imports
+const config = require('../../config.json');
 const {userModel} = require('../schemas/user/userSchema');
 const userBanModel = require('../schemas/user/userBanSchema')
 const altchaUtils = require('../utils/altchaUtils');
@@ -32,8 +33,11 @@ module.exports.authenticateSession = async function(user, pass, req){
         //Grab previous attempts
         const attempt = failedAttempts.get(user);
 
+        //If we're proxied use passthrough IP
+        const ip = config.proxied ? req.headers['x-forwarded-for'] : req.ip;
+
         //Look for ban by IP
-        const ipBanDB = await userBanModel.checkBanByIP(req.ip);
+        const ipBanDB = await userBanModel.checkBanByIP(ip);
 
         //If this ip is randy bobandy
         if(ipBanDB != null){
@@ -89,7 +93,7 @@ module.exports.authenticateSession = async function(user, pass, req){
         }
 
         //Tattoo hashed IP address to user account for seven days
-        userDB.tattooIPRecord(req.ip);
+        userDB.tattooIPRecord(ip);
 
         //If we got to here then the log-in was successful. We should clear-out any failed attempts.
         failedAttempts.delete(user);